Podcast Episode 127: Donnie, Talk to China and Other Lessons from 2018

In this week’s episode of The Security Ledger Podcast (#127): cybersecurity’s smartest and funniest executive, David Aitel, the Chief Security Technical Officer at Cyxtera Technologies, joins us for this year-end wrap-up. We talk about the supply chain attack on Super Micro, China’s continued attacks on western firms, U.S. indictments of Russian and Chinese hackers and what 2019 may have in store.

Dave Aitel is the Chief Security Technical Officer at Cyxtera Technologies and the founder of Immunity Inc.

In case you missed the pattern: cyberattacks are hitting closer and closer to home. In 2018, they impacted not just our computers and smart phones, but the systems that we rely on to order our society and, literally, keep the lights on.

Looked at one way, 2018 may be remembered as the year when the pushing elevated to shoving between the world’s major cyber powers: with US indictments of leading Russian and Chinese cyber actors and reports of poisoned hardware and software supply chains affecting leading firms.

To talk about what we learned in the last year and what 2019 might have in store, we invited David Aitel, the Chief Security Technical Officer at Cyxtera Technologies and the founder of Immunity Inc., to discuss the events of the past year, from the recent reports on the actions of APT-10, which has links to the government of China, to Bloomberg’s blockbuster story about a supply chain hack of motherboard maker Super Micro.

Donnie, Talk to China

In an era of nation state actors, Aitel observes, no hardware, software, company or person is safe from predation. Take the Bloomberg story about a supply chain compromise of SuperMicro. The publication of that story generated a flurry of denials from SuperMicro, Apple, Amazon and others named in it. But Aitel observes (correctly, I think) that – in the big picture – it doesn’t matter whether Bloomberg got the details of the story correct. What matters is that Bloomberg’s story about what happened really could have happened.

“It’s almost more true if it’s not true,” Aitel tells me. “We know that what could happen in cyber always does happen in cyber. Someone is going to fund it. It’s not that expensive to do.”

In other words: an adversary who is willing and able to interdict and modify hardware, or to physically invade your home or business, is impossible to thwart. The solution, therefore, is to forge international agreements and codes of conduct between nation-state actors.

“Whether or not the details in particular for any of these things are correct, we need to have a massive equities discussion about what nation states will do to supply chains.” While the Trump administration may be trying to erect walls between the economies of China and the U.S., the future is more likely to see closer integration between the two. And that will demand cooperation and mutual understanding about what the boundaries are for things like supply chain hacking.

“We have massive government meetings about vulnerability equities processes and nobody wants to talk about what we will and won’t tell Cisco to do,” Aitel notes. “We need a policy: ‘in only the following cases will we manipulate supply chain.’ Then we need to take that norm to China and try to sell it.”

In this end of year podcast: Dave and I talk about the biggest stories of the year and also about what 2019 may have in store.

Author: Paul

I'm an experienced writer, reporter and industry analyst with a decade of experience covering IT security, cyber security and hacking, and a fascination with the fast-emerging "Internet of Things."